Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change the format of the table output?

jgcsco
Path Finder
‎04-08-2015 01:28 PM

I have this search:

[search] | stats count by Status Errors | eventstats sum(count) as StatusCount by Status| eventstats sum(count) as TotalCount | search Status = "Failed" | eval percent=100*StatusCount/TotalCount | where percent > 1 | table percent Errors count

Which produces the following result:

percent   Error     count
1.2       error1      A
1.2       error2      B
1.2       error3      C

Since the percent here is the total error percent, I would like the result to show as the following:

percent  1.2
Error    count
error1     A
error2     B
error3     C

Or

Error    count    percent 1.2
error1     A
error2     B
error3     C

Can this be done?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-08-2015 03:03 PM

This is ugly, and not quite what you're looking for but ...

 $SEARCH | stats count by Status Errors 
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount | search Status = "Failed" 
| eval percent=100*StatusCount/TotalCount | where percent > 1 
| table percent Errors count
| appendpipe [ | stats max(percent) as count  | eval Errors="percent" ]
| fields - percent

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-08-2015 03:03 PM

This is ugly, and not quite what you're looking for but ...

 $SEARCH | stats count by Status Errors 
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount | search Status = "Failed" 
| eval percent=100*StatusCount/TotalCount | where percent > 1 
| table percent Errors count
| appendpipe [ | stats max(percent) as count  | eval Errors="percent" ]
| fields - percent
Reply
Solved! Jump to solution

jgcsco
Path Finder
‎04-08-2015 05:48 PM

Thanks, although a bit ugly, but it is very close to what I am looking for.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎04-08-2015 02:51 PM

Hi jgcsco
try this search code

     [search] | stats count by Status Errors | eventstats sum(count) as StatusCount by Status| eventstats sum(count) as TotalCount | table  Errors count|appendcols[search Status = "Failed" | eval percent=100*StatusCount/TotalCount | where percent > 1 |dedup percent| table percent]
0 Karma
Reply
Solved! Jump to solution

jgcsco
Path Finder
‎04-08-2015 02:55 PM

Thanks, I was wondering if there is a way to avoid using "appendcols".

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...